Kerberos Problems on Windows XP Clients

  • Thread starter Michael Grossniklaus

Michael Grossniklaus

hello,

we have two Windows 2000 Advanced Servers that manage our domain and
host our Active Directory. Everything works pretty fine with the
exception of some Windows XP Clients in this domain. When we had to
change the machine names of those computers to conform to our naming
scheme, suddenly the following problems with kerberos began:

1) netdiag complains about a missing host ticket for these machines:
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for
host/innes.globis.infk.d.ethz.ch.
All other tests complete successfully!

2) security event 529 with "Logon Process: Kerberos" and
"Authentication Package: Kerberos" is logged on the faulty machines
(see below).

3) netlogon logs an event that these clients could not authenticate.

we've tried a lot of things to resolve the problem, none of them,
however, worked:
- switching the name of the machine back to what it was before
- resetting the machine account on the dc (netdom and mmc)
- removing and reinserting the machine from and into the domain
- forcing kerberos to use tcp and to log events (group policy
template)
- lowering the refresh interval for kerberos tickets on the dc
- restarting the kdc service on the dcs

from browsing through the ms knowledge base and technet, as well as
user groups, i guess that there is really a problem as this behaviour
is totally reproducible in our domain. (yes, i ruined some other
installations just to be sure.) let's hope microsoft is also aware of
this problem and will fix it sometime. until then i'd welcome wacky
suggestions for further stunts to pull on our domain. true help and
useful suggestions are of course also appreciated!

mfg,
michael.

p.s: is there a "never change the name of a system in a domain"
recommendation i haven't heard of?

---
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/2/2003
Time: 6:56:54 PM
User: NT AUTHORITY\SYSTEM
Computer: INNES
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
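
As an added example (not part of the original posts): a small Python parser for event records exported in the text layout quoted in the post above, counting failed Kerberos network logons (Event ID 529, Logon Type 3) per computer and how many of them carried no user name. The sample records are constructed; HOST-B, alice, svc-backup and the later times are assumptions.

```python
from collections import Counter

# Constructed sample in the "Field: value" layout of the event quoted above,
# trimmed to a few fields. HOST-B, alice, svc-backup and later times are made up.
TEMPLATE = ("Event Type: Failure Audit\nEvent ID: 529\nTime: {0}\n"
            "Computer: {1}\nDescription:\nLogon Failure:\n"
            "User Name: {2}\nLogon Type: {3}\nLogon Process: {4}\n")
ROWS = [("6:56:54 PM", "INNES", "", 3, "Kerberos"),
        ("7:01:10 PM", "INNES", "", 3, "Kerberos"),
        ("7:02:31 PM", "HOST-B", "alice", 2, "User32"),
        ("7:05:48 PM", "HOST-B", "svc-backup", 3, "Kerberos")]
SAMPLE = "---\n".join(TEMPLATE.format(*row) for row in ROWS)


def parse_events(text):
    """Split an export into records, each a {field: value} dict."""
    events, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so times survive
        if not sep:
            continue  # "---" separators and blank lines carry no field
        if key.strip() == "Event Type" and current:
            events.append(current)  # a new "Event Type" line starts the next record
            current = {}
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def kerberos_network_failures(events):
    """Event 529 records where a network logon (type 3) via Kerberos failed."""
    return [e for e in events
            if e.get("Event ID") == "529" and e.get("Logon Type") == "3"
            and e.get("Logon Process") == "Kerberos"]


def summarize(events):
    """Map computer -> (failure count, failures with an empty User Name)."""
    total, blank = Counter(), Counter()
    for e in kerberos_network_failures(events):
        host = e.get("Computer", "?")
        total[host] += 1
        if not e.get("User Name"):
            blank[host] += 1
    return {host: (n, blank[host]) for host, n in total.items()}


if __name__ == "__main__":
    for host, (n, empty) in summarize(parse_events(SAMPLE)).items():
        print(f"{host}: {n} failed Kerberos network logons, {empty} with no user name")
```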
 

SaltPeter

Since Kerberos is based on timestamps to authenticate clients, is the time
being synchronized on the domain? Did you scavenge any DNS entries
pertaining to XP clients (old names)?
 
